[Question] find all subjects with permissions to access that subject. #1030

Closed
jg-synth opened this issue Jun 10, 2022 · 7 comments

@jg-synth

I am using the RBAC model provided in your list of examples. I would like to query for a specific object (or list of objects) to find all subjects with permissions to access that subject.

In other words, I am looking for an API similar to getPermissionsForUser except that it would accept an object and return the list of permissions that permit access to that object.

I found another question which is similar but I don't think the solution meets my requirements. That is, I am not looking for implicit permissions for a user and I cannot use the BatchEnforce API because I do not know the subject IDs that I am querying for.

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

Your policy:

p, workspace1, data1, read
g, alice, workspace1
g, bob, workspace1

Your request(s):

I am looking for something like:

getPermissionsForObject(data1)

-> [(p, workspace1, data1, read), (g, alice, workspace1), (g, bob, workspace1)]

Thanks for your time,

Jake

@casbin-bot
Member

@tangyang9464 @closetool @sagilio

@hsluoyz
Member

hsluoyz commented Jun 10, 2022

@JalinWang @imp2002 we need to add the new API

/cc @tangyang9464

@hsluoyz hsluoyz changed the title [Question] [Question] find all subjects with permissions to access that subject. Jun 10, 2022
@tangyang9464
Member

tangyang9464 commented Jun 25, 2022

@jg-synth I think this can be achieved by combining GetFilteredPolicy and GetUsersForRole. @hsluoyz Since the sub's index is uncertain, is this best done by the user? Or continue to default sub index to the first?

@hsluoyz
Member

hsluoyz commented Jun 25, 2022

@tangyang9464 we can safely assume the sub is at the 1st index for now.

@tangyang9464
Member

tangyang9464 commented Jun 26, 2022

I am looking for something like:

getPermissionsForObject(data1)

-> [(p, workspace1, data1, read), (g, alice, workspace1), (g, bob, workspace1)]

@jg-synth Do you just need to return [workspace1, alice, bob]?

That is, I am not looking for implicit permissions for a user

Do you need to return the entire related policy (p, workspace1, data1, read) or just the related sub (workspace1)? I'm not very clear about your purpose because you also need to return the whole g-policy g, alice, workspace1

@JalinWang
Member

@tangyang9464 we can safely assume the sub is at the 1st index for now.

#1015 This issue requires dynamic sub's index.

@jg-synth
Author

Thanks all for your input. In response to your questions and comments:

I think this can be achieved by combining GetFilteredPolicy and GetUsersForRole.

@tangyang9464 Yes, this looks like it would work!

Do you just need to return [workspace1, alice, bob]?

@tangyang9464, I think that I need more than just [workspace1, alice, bob], but I might not need the entire policy document - and I might not need the groups either.

Here's an example of the sort of view I'm trying to build. To build it, my intention is to fetch [(workspace1, read)] which is the list of objects with access to data1 and their corresponding permission.

Screenshot from 2022-06-30 07-16-03

I would welcome any further thoughts but I think you've given me enough to consider this resolved - please do feel free to close it.

Thanks for taking the time to help.
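
An added example, not part of the thread and not Casbin's own code: the reverse lookup discussed above (p-rules filtered by object, then the members of each matching subject expanded through g-rules), run over the policy lines from the issue with only the Go standard library. `SubjectsForObject`, `Grant` and `policyCSV` are hypothetical names, sub is assumed to be the first policy field as agreed in the thread, and the expansion goes beyond the flat case in the issue by following nested roles.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: the policy lines quoted in the issue.
const policyCSV = `p, workspace1, data1, read
g, alice, workspace1
g, bob, workspace1`

// Grant is one p-rule on the object plus every subject that inherits it via g.
type Grant struct {
	Sub, Act string
	Members  []string
}

// SubjectsForObject is a hypothetical helper; it assumes sub is p's 1st field.
func SubjectsForObject(csv, obj string) []Grant {
	var out []Grant
	members := map[string][]string{} // role -> direct members, from g-rules
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Split(strings.ReplaceAll(line, " ", ""), ",")
		if f[0] == "p" && len(f) == 4 && f[2] == obj {
			out = append(out, Grant{Sub: f[1], Act: f[3]})
		} else if f[0] == "g" && len(f) == 3 {
			members[f[2]] = append(members[f[2]], f[1])
		}
	}
	for i := range out {
		seen := map[string]bool{out[i].Sub: true} // stops on role cycles
		for queue := []string{out[i].Sub}; len(queue) > 0; queue = queue[1:] {
			for _, m := range members[queue[0]] {
				if !seen[m] {
					seen[m] = true
					out[i].Members = append(out[i].Members, m)
					queue = append(queue, m)
				}
			}
		}
		sort.Strings(out[i].Members)
	}
	return out
}

func main() {
	fmt.Printf("%+v\n", SubjectsForObject(policyCSV, "data1"))
}
```

Each returned `Grant` pairs the directly granted subject and action with the subjects that reach it through role membership, which is the shape an access review of a single object needs.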
